“I am calling you from Windows”: A tech support scammer dials Ars Technica

When the call came yesterday morning, I assumed at first I was being trolled—it was just too perfect to be true. My phone showed only "Private Caller" and, when I answered out of curiosity, I was connected to "John," a young man with a clear Indian accent who said he was calling from "Windows Technical Support." My computer, he told me, had alerted him that it was infested with viruses. He wanted to show me the problem—then charge me to fix it.

This scam itself is a few years old now, but I had not personally received one of the calls until yesterday—the very day that the Federal Trade Commission (FTC) announced a major crackdown on such "boiler room" call center operations. The very day that six civil lawsuits were filed against the top practitioners. The very day on which I had just finished speaking with Ars IT reporter Jon Brodkin, who spent the morning on an FTC conference call about this exact issue. And here were the scammers on the other end of the line, in what could only be a cosmic coincidence.

I walked around my office with the phone against my ear, then settled into my desk chair and put the call on speakerphone. I wanted to know just what it felt like to be on the receiving end of such a call. I wanted to know how a group of scammers half a world away convinced random and often tech-illiterate people to do things like run the built-in Windows Event Viewer, then connect to a website, download software, and install it (together, no easy feat for many mainstream users). I wanted to know just how the scammers eventually convinced their marks to open up remote control of their PCs to strangers who had just called them on the telephone.

So I played along—which was difficult without a Windows PC in my office. To buy time, I told the scammer that I was waiting for my nonexistent computer to "boot up," then sent a furious blast of instant messages to Brodkin, asking him to do whatever the scammer told me to do and report back on the results. Luckily he was at his computer and immediately agreed—and we were off.

Typing, furiously

The scammer got right to it, as though it were a common thing for unknown callers to have me start rooting around inside my computer. I was immediately ordered to go to the Windows Start menu, then to right-click on "Computer."

"Can you tell me what options are you getting?" said the scammer.

"Ummm... just a second."

Furious typing followed, which must have been plainly audible, as I passed the instructions to Brodkin. Who knows what the scammer thought of this. It must have been clear that at the very least I was a serious incompetent who, when ordered to click some simple mouse buttons, instead began typing the Great American Novel. Yet my scammer showed a patience I had not expected.

"Maybe I'm not clicking on the right thing," I said in an effort to buy more time as Brodkin fired up a Windows virtual machine. "Where is it, on the Start menu?"

The scammer explained it all again. I was to right-click on Computer and tell him what I saw. I began to wonder just how long he would stay on the line without me providing a response when Brodkin got the VM running and typed back the correct responses. I passed them along.

"OK, it says Open or Manage," I said.

I was told to double-click Manage, then to select the Event Viewer from the Computer Management window that appeared.

"Below the Event Viewer, what options can you see?" my scammer asked.

(More furious typing.)

I already knew that a key part of the scam involved showing people innocuous error messages in the Windows Event Viewer, then trying to convince them these were caused by a virus. So I decided to guess what I should be seeing—and I got it wrong.

"I see a list of these different warnings or something. I dunno."

"No, sir, you have to double left click on Event Viewer. Just do it again."

Brodkin came through with the answers. "Okay, it says Custom Views, Windows Logs, Applications, and Settings," I said, reading right out of my instant messaging client.

"Yeah. Yeah. You have to double left click on Windows Logs, all right?"

"Okay, doing it."

"And below the Windows Logs, what options can you see?"

(Even more furious typing. That novel was really coming along now by the sound of things.)

"What options are you getting?" he repeated.

"Applications, Security Setups, Forwarded Events..." I said at last.

"Yeah, that's correct. You have to double left click on Applications, OK? And now what can you see from your computer screen?"

Because my scammer appeared to be a man of infinite patience, I simply waited ten seconds in silence and then repeated stupidly, "What can I see?"

"Yeah. What can you see?"

Scary errors in the Windows Event Viewer.

Brodkin's instant messages arrived, telling me that I was in fact seeing an error message.

"Um, I see some kind of error message."

"Yeah. These are the error messages which we get through your computer by date and time. This is the application part of your computer, OK? Let me check the system part of your computer, OK? Look at the right hand side—there's an option for Filter Current Log. Can you see Filter Current Log? Yeah, you have to double left click on Filter Current Log, OK? And there's a new box that came on your screen, and you have to check mark the options 'critical warning' and 'error.'"

"OK."

(But instead of clicking anything, I am of course typing to Brodkin. Furiously. The clack of the keys seems unbearably loud. Isn't he getting suspicious?)

"OK... Clicking 'critical warning' and 'error'... now it says 'warning and error.'" I had no idea if this even made sense, but it was what Brodkin had typed, and the scammer seemed to accept it.

"Yeah. Sir, these are the [garbled] viruses in your computer. They may harm your computer at any point of time. And these viruses are corrupting your data and using your personal information like that. So do one thing: can you try to delete any error, any warning?"

"Any one of them?"

"Yeah. Is it deleted or not?"

"How do I delete it?" I asked, not having done anything. But my scammer's patience was starting to slip. He simply went on as though I was in fact looking at a scary list of errors that could not be removed.

"It's not deleting," he informed me. "Yeah, sir, these are un-deletable viruses."
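The "Filter Current Log" view the caller walks the victim through above (Critical, Warning and Error in the Application log) can be reproduced from PowerShell. This is an added example, not code from the article, and it is useful for the opposite purpose: summarizing how many such entries a perfectly healthy machine accumulates, broken down by level and by the component that logged them. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not from the article): reproduce the Event Viewer
# "Filter Current Log" view the scammer asks for (Critical, Warning, Error)
# and summarize it, so the reader can see that routine entries of these
# levels are normal and prove nothing about infection.

param(
    [int]$Days = 30,                              # how far back to look
    [string[]]$Logs = @('Application', 'System')  # the two logs the caller names
)

$since = (Get-Date).AddDays(-$Days)
# Level 1 = Critical, 2 = Error, 3 = Warning: the three boxes the caller
# has the victim tick in the Filter Current Log dialog.
$levelNames = @{ 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning' }

foreach ($log in $Logs) {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Level     = 1, 2, 3
        StartTime = $since
    } -ErrorAction SilentlyContinue   # an empty result is reported as a non-terminating error

    $count = @($events).Count
    Write-Host ("{0} log: {1} Critical/Error/Warning entries in the last {2} days" -f $log, $count, $Days)
    if ($count -eq 0) { continue }

    # Breakdown by level.
    $events |
        Group-Object Level |
        Sort-Object Name |
        ForEach-Object {
            Write-Host ("  {0,-8} {1,6}" -f $levelNames[[int]$_.Name], $_.Count)
        }

    # Breakdown by the component (provider) that wrote the entry; on a
    # healthy machine this is dominated by ordinary services and drivers.
    Write-Host "  Top sources:"
    $events |
        Group-Object ProviderName |
        Sort-Object Count -Descending |
        Select-Object -First 5 |
        ForEach-Object {
            Write-Host ("    {0,6}  {1}" -f $_.Count, $_.Name)
        }
}
```

Save it as a .ps1 file and run it; on a machine that has been in use for a few weeks the Application log alone will typically show dozens of such entries from normal software, which is exactly the "evidence" the scam relies on.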

"I am calling you from Windows"

The main website.

The scammer then directed me to "open your Internet Explorer" and visit a specific website. It was a basic free-to-create website labelled "Windows PC Tech Support." The company behind it, said the site's front page, had "deep experience in a full balance of practice areas. All working in cycle, at one place." Well—I like working in cycles, at one place, so this all sounded fine.

I told my scammer that the page had loaded. He directed me past the "About Us" tab ("At ALL times we hold the highest ethics and quality is the pre-requisite of everything we do") and past the "Services" tab ("So just come out of a doubtful and unsure situation and call for a support package") and over to "Instant Support."

The instant support page showed four links: Ammyy V3, Ammyy V2, TeamViewer, and ShowMyPC. All four pieces of software allow another machine to access your computer directly, across the Internet, for all sorts of quite legal and useful reasons. But they also make it simple for a cold-caller from India to rule your computer by tricking you into giving him permission to do so.

"You have to click on Ammyy V2," said my scammer. "And there is a new box which says run, save, or cancel. You have to click on run, OK?"

Come on—he was going to have to work a little bit harder than that.

"Well, I don't know much about computers," I said, "but I know that I don't want—I dunno—just software from the Internet running on my computer."

"Sir, it's a connecting software to help you out, OK?" he said.

"Well, but... who are you with, again?"

"Sir, my name is John. I am calling you from Windows, OK?"

"What do you mean you're calling me from Windows?"

"Sir, because we are getting some information and warning like that. So click on 'run.'"

I wanted to see more of this process unfold, so I asked him to "tell me how to do it on my computer and I'll just do it. You can walk me through the steps."

"Sir, you are the Windows customer and you are registered here in Windows Company so that's why we are calling you," he said, one of several incongruous responses that made me feel like I was speaking with a chat bot instead of a human being. We continued:

"I'm sorry, I don't know anything about a 'Windows Company.' Do you mean Microsoft?"
"No, it's not a Microsoft, it's a Windows Technical Department, OK? And I am the Windows technical provider to help you out, OK?"
"OK, but I'm still... I didn't call you, you called me, so it seems kind of strange. I don't know if I want to let some program run on my computer."
"Sir, we are getting some information from your computer, some harmful information because these informations are damaging the [garbled] and some important [garbled] like that."
"You mean, I have viruses in my computer and you know about it somehow?"
"Yeah. Yeah."
"Wow."

Again he asked me to click "run." He was quite insistent on the point, coming back to it immediately every time the conversation veered away. Just. Click. Run.

So here it was—decision time. Was I willing to turn Brodkin's Windows install over to "John" from "Windows Technical Support" in order to clear it of the many viruses the Event Viewer showed? I decided that I was—in the name of journalism, of course.

"The line" is drawn here.

The manager

But Brodkin wasn't. "Not sure I trust this!" he IMed me. "I don't want to let them into my PC. I draw the line there."

VM or no VM, he didn't want strange people controlling his main work computer, which was probably just as well. With the line drawn and little more to gain from the phone encounter, I switched gears. "So you're aware that this is a scam that you're pulling, right?" I said. "And that the US government has announced today a huge crackdown on exactly what you're doing?"

I expected John to hang up; clearly, I knew about his game. But he didn't miss a beat.

"No sir, I assure you, sir, it's not a scam. You can talk to my manager. I'm calling you from Windows."

"Oh, okay," I said; I mean, the guy was calling me from Windows. "Can I talk to your manager just to make sure?"

After a few seconds, another voice came on the line. He was the manager, he told me, and he laid out the whole situation.

"Sir, let me tell you, like when you buy an operating system like Microsoft Windows, we are the one who are able to provide the technical support regarding this operating system, OK? Microsoft never provides support for the Windows operating system and we are having official [garbled] of Microsoft, and that's why you are receiving this call."

"So you're like partners with them, you help them do support?" I asked.

"Right. And that's why my colleague has given you a call, because your computer was full of viruses. Whenever you are going on Internet, you are getting the viruses from the Internet. And you have also noticed that for the past few weeks your computer has been running a bit slow, right?"

"Yeah, it's been really slow," I agreed.

"That is all because of the viruses, sir... We are going to tell you how you can rectify all these problems from the computer."

I knew exactly how the problem would eventually be "rectified"—with my credit card. One Ars reader noted just how bad the situation could get when commenting on the FTC crackdown, writing, "One of my clients fell for this scam. Unfortunately, he paid over $500 to the scammers. When he refused to pay any more, they actually locked the computer, told him he wouldn't be able to use his computer anymore, and hung up on him."

With the call quickly coming to the end of its useful life, I decided to switch gears one last time.

"So are these viruses that I could get on a Mac or this is only on my Windows computers?"
"This is only for the Windows operating system. Viruses are not there in Macs. Mac is a virus-free edition."
"Oh, okay, it's a virus free edition."
"Right. Mac doesn't have viruses. Viruses are only there for Windows PCs."
"I have a question for you, then. I don't actually have any Windows PCs, I only run Macs. So I'm wondering how you found out I had viruses?"
"No, no. I think that you are having a partition of a Windows operating system in a Macintosh."
"No, I don't think so."
(Pause.)
"You are using Mac?"
"Let's be honest here. You guys are scamming me, and the US government just announced a major crackdown today on exactly what you guys are doing and I just wondered if you had any comment about that?... Hello?"

And with that, he was gone, having better sense than to waste any more time on me. No wonder he was the manager.

Calling Do Not Call

Such scams have proliferated around the globe, and their operators aren't very creative; many of them use nearly identical pitches. It can't be a fun job; an entire amateur industry has arisen around trolling the scammers. Australian Troy Hunt, for instance, earlier this year set up a Windows virtual machine with the Dutch language selected just to see what would happen when he actually gave control of the machine to the scammers. (Hunt also tracked down and did an interview with the person behind one of the companies alleged to be a leader in this sort of activity; the man denied knowing anything about it.)

The scams have cost people around the world quite a bit of money, with scammers asking anywhere from $49 to $450 to fix the nonexistent problems they discover. The calls appear to be largely about making money, but there's no reason that such powerful remote access could not be used to install malware, build up botnets, participate in denial of service attacks, or steal personal information.

The companies behind such calls generally show a total disregard for local laws against telemarketing, but they aren't the only ones to do so. Just today I received two automated recordings, which also ignored the Do Not Call list here in the US, pitching me on the old "Card Member Services" scam and something separate involving home break-ins and security. While Do Not Call laws have stopped most reputable companies from harassing people over the telephone, they have had only limited effect against those whose reputation can't go any lower.

While the entire call seemed farcical—who would possibly fall for this?—people clearly do, all the time. Sure, it wasn't going to work on me, but I could easily imagine several members of my own extended family who might have had a harder time recognizing the fact that this was not legitimate.

The clear sense of impunity felt by the scammers was enraging. I had wasted a few minutes of his time, but who cared? Even now John was on to his next mark, ready to rope in the "manager" when needed, ready to lie about the Windows Event Log, ready to demand that someone just click "run." He may have assumed that no police officer would come knocking on the boiler room door; hopefully, yesterday's international enforcement efforts will at least sow the seed of doubt.

1. I have gotten repeated calls from Computer Technical Services, similar opening pitch. I hang up, but have been curious how the scam unfolds.

2. I did not know about event viewer. I followed the instructions, looked at the errors, and got info on a lockup problem involving mv91xx.sys. I am following up to see if I can get a new driver that will work better.

So the irony is that their scam call may help me fix a real problem ;-).

A friend's in-laws fell for this; my own sister-in-law had the sense to text me to get my go-ahead to let them into her computer, and even when I told her it was a scam she tried to argue that they seemed genuine.

I'm kind of shocked you had to IM Brodkin to fake performing these activities...

Why? I very rarely use Macs and would have to get someone to feed me the lines if a similar Mac based thing happened to me. It is inconceivable to you that a Mac user would not know all the context-menus in Windows off the top of his head?

Another funny thing to do if you get a call like this, is to do a web search for whatever website they tell you to go to and ask "Why does it say this is a scam website when I search for it?". They will make up excuses that there are other websites with the same name or that Google is wrong or whatever.

I'm kind of shocked you had to IM Brodkin to fake performing these activities...

Why? I very rarely use Macs and would have to get someone to feed me the lines if a similar Mac based thing happened to me. It is inconceivable to you that a Mac user would not know all the context-menus in Windows off the top of his head?

i see no basis for argument, myself. satisfyingly reverse-social-engineered.

Windows is not the only target. There is a considerable industry emerging around fake Google support as well. I had one client lose $300 trying to solve a gmail problem. Her account was found to have been sending virus spam or something, so "Google" helpfully called to clean her computer. They installed one of the fake antivirus tools, and it did all the rest -- fake alerts, fake solution, real payment info window.

I've noticed an increase of these incidents being reported on Microsoft's community forums. Luckily most of the people who post there get suspicious and cut the call off, but I wonder how many more have fallen for it.

It would help if real companies didn't use Indian-accented poorly scripted customer service reps so often. That sounded exactly like my last call to T-Mobile's prepaid service line. It gives them an edge of authenticity.

My grandfather was scammed this way twice. I had to go over and reformat their computer, we had to cancel their credit card, it was a huge pain.

He was a mechanic, so we finally put it to him this way: "if some random person walked up to you and said 'hey your car there is making a funny noise, believe me I know cars, just give me your keys and I can fix it up', would you? No... this is the same thing"

He hasn't been scammed again. Thankfully their computer has nothing on it so it wasn't a big deal to reformat.

I'm kind of shocked you had to IM Brodkin to fake performing these activities...

Why? I very rarely use Macs and would have to get someone to feed me the lines if a similar Mac based thing happened to me. It is inconceivable to you that a Mac user would not know all the context-menus in Windows off the top of his head?

Of course *most* Mac users wouldn't know this. I think perhaps he's expressing the sentiment that it's odd that a key editor at Ars lacks familiarity with and even access to the world's most widely used operating system.

Happened to me, and I had fun. I was called at a point in my day where I had some time, and since I love a good game, I played along. I put on my best "too stupid for words" mask and had them try to "help" me for nearly twenty minutes before I finally got bored and said "you know, I'm just stringing you along so that I can pick up the IP address you're trying to connect me with..." Click. I'd like to think that by having them waste time with me, a potential victim might have been spared. Or, possibly, that I gave "John" a tension headache.

My grandfather was scammed this way twice. I had to go over and reformat their computer, we had to cancel their credit card, it was a huge pain.

He was a mechanic, so we finally put it to him this way: "if some random person walked up to you and said 'hey your car there is making a funny noise, believe me I know cars, just give me your keys and I can fix it up', would you? No... this is the same thing"

He hasn't been scammed again. Thankfully their computer has nothing on it so it wasn't a big deal to reformat.

i think this is a universal lesson: try to boil it down into a straightforward analogy that solidly communicates the point. it's cheaper than helping uncle grandfather clean up the mess.

A user at one of my high schools (a high school principal) got *got* for about $40k. With the information found on his machine, the attackers sacked his savings account and opened a line of credit. They essentially remoted into his machine, installed something and never got out. The callers pretended to be from AT&T, his ISP.

He called me asking if there's anything I could do. I told him to call the police. The authorities have a lead, but it's not looking hopeful.

I'm kind of shocked you had to IM Brodkin to fake performing these activities...

Why? I very rarely use Macs and would have to get someone to feed me the lines if a similar Mac based thing happened to me. It is inconceivable to you that a Mac user would not know all the context-menus in Windows off the top of his head?

Of course *most* Mac users wouldn't know this. I think perhaps he's expressing the sentiment that it's odd that a key editor at Ars lacks familiarity with and even access to the world's most widely used operating system.

I don't lack familiarity with Windows, nor do I lack access. But my Windows laptop was in another room and I wasn't about to go on the hunt for it with this guy on the phone. I quite freely admit to not having things like Event Viewer option settings memorized, however.

A client of mine ran into a similar thing with a piece of malware that locked out his machine with a splash screen that would only go away if he put in his credit card information to pay $500 to the FBI to have the PC cleaned.

He called me freaking out about it, but at least had the sense to not pay the money. With some of the people I provide support for locally, I can definitely understand how they end up making so much money through these types of scams.

How about getting them to talk on the phone for a while, then say "oh great! You've talked long enough for us to track your location and we are sending an armed cleanup team to clean out your operations. You have about 2 minutes before they start shooting."

There was a warning in Denmark about this kind of scam as well, originating in India. But those ones directed you to Microsoft Security Essentials, and charged you 500USD (roughly).

The program they talked you through installing is of course free, but it is actually a fine program that would help if the victim did ever get a virus.

I mean, if those people are not going to do anything with their trojan, why shouldn't they indeed install a real virus killer? Especially when they can direct you to a real official page that fits perfectly into their MO.

I'm kind of shocked you had to IM Brodkin to fake performing these activities...

Why? I very rarely use Macs and would have to get someone to feed me the lines if a similar Mac based thing happened to me. It is inconceivable to you that a Mac user would not know all the context-menus in Windows off the top of his head?

Of course *most* Mac users wouldn't know this. I think perhaps he's expressing the sentiment that it's odd that a key editor at Ars lacks familiarity with and even access to the world's most widely used operating system.

Personally, I never do anything in Windows without checking the Event Viewer first.

A friend's in-laws fell for this; my own sister-in-law had the sense to text me to get my go-ahead to let them into her computer, and even when I told her it was a scam she tried to argue that they seemed genuine.

This bothers me a lot, when people admittedly do not know very much about computers, call you for advice, and then argue with you when you tell them what to do.

It would be really great if some group like 419eater was formed that each ran a Honeypot VM that would in fact infect the scammers' servers and desktop when they connected. And maybe got one of the scammers to carve a keyboard out of a block of wood.